Do I have to install the Duo software on EVERY server that is a member in the domain?

I was hoping I could install Duo on only the Domain Controller & have Duo enforced via Admin OU group policy for domain admin group members for local server login & RDP login, Servers & workstations login via a domain admin account in the DUO OU MFA group… It looks like the weakness of Duo is the configuration has to be 100% perfect on all domain devices (Servers & workstations) to be totally secured with MFA…

It is accurate that Duo protection for Windows Logon protects the system where it is installed, and Duo does not have an offering that you would apply to a domain controller or install in your AD schema to apply 2FA to user logins to AD from any source (an example product that does this is AuthLite).

You don’t have to install the Duo software on every server in the domain unless you want Duo 2FA at login for every server in your domain.